Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco ScanCenter Administrator Guide, Release 5.2

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco ScanCenter Administrator Guide, Release 5.2

Chapter Title

Investigating Incidents

Results

Updated:
April 11, 2019

Chapter: Investigating Incidents

Investigating Incidents

Overview

Respond to an incident based on its confidence and risk levels:

  • High risk and high confidence. The endpoint is likely compromised with an advanced threat that has already circumvented signature or rule-based endpoint security. It is unlikely you will be able to remove the threat with endpoint cleaning tools. Reimage or rebuild the endpoint without backing up the user profile completely; backup documents only. When CTA detects an active malware infection, this usually requires manual action from your SOC and Desktop teams.

  • Medium confidence or medium risk. The endpoint likely contains malware that can be cleaned with endpoint cleaning tools. Run endpoint scanning and antivirus cleaning tools of your choice. Clean any infections found and monitor the endpoint. If the problem persists, perform a reimage and rebuild of the endpoint without backing up the user profile completely; backup documents only.

  • Everything else (low confidence and low risk). The endpoint may or may not be infected. The alert might be linked with the user following spam or phishing URLs. Perform a normal scan and remove any infections found. If nothing is found, monitor the endpoint for any escalations to prevent malware progress.

Confidence levels:

  • High (100% to 95%)

  • Medium (94% to 85%)

  • Low (84% to 0%)

Risk levels:

  • Critical (10)

  • High (9, 8)

  • Medium (7, 6)

  • Low (5, 4, 3, 2, 1)

Details

Procedure

Step 1

Information on malware blocked inline by AMP is found in the Malware Analysis section of the Reports tab.

Step 2

Information on files sandboxed by AMP during the after phase is found in the CWS Dashboard tab and AMP Blocks section. See Dashboard.

Step 3

Click the Threats tab and CTA Dashboard.

  1. Health status. Shows an overall summary of threats discovered in your network by their risk level. Unresolved users are grouped by risk category. Note that a high number of lower risk threats may lead to more serious threats over time.

  2. Relative threat exposure. Threat exposure based on your number of incidents and their risk level, compared to other companies within your same sector, similarly sized companies, and all companies globally.

  3. Specific behaviors. High-level breakdown of the detected threats and unresolved behaviors in your network.

  4. Highest risk. Unresolved incidents that currently pose the highest risk to your network and require your immediate attention.

  5. Top risk escalations. Unresolved incidents that have recently showed an increase in risk.
Step 4

Click the Threats tab and Confirmed.

  1. This section shows confirmed threats and breaches on your network (incidents with a 100% confidence level) and their associated information.

  2. Incidents detected with correlated behavior are grouped into a threat campaign, and each threat campaign is then labeled with a unique hash-tag group name.

  3. Threat campaigns are listed in the vertical panel at the right of the page. You can check the state boxes to filter what threat campaigns are shown in the panel.

  4. A higher risk number indicates a higher risk of the threat impacting your network. Prioritize your analysis by investigating higher risk threats including the incidents clustered within them.

  5. These incidents to not require much time for investigation; they require immediate action. Set up recovery processes to adjust your workflow for CTA findings.

  6. Review the threat-specific description and the recommended action for a more targeted remediation.

Step 5

Click the Threats tab and Detected.

  1. This section shows an overview of detected incidents, including noncorrelated CTA incidents and AMP retrospective incidents. You can also view the correlated CTA incidents that were grouped into threats in the Confirmed section.

  2. You can filter which incidents are shown by choosing AMP and/or CTA and adjusting the date selector, search field, preferences, and state.

  3. Use the Email Notifications page to enter email addresses to be sent a summary of new and updated incidents every 24 hours.

Step 6

To start investigating an incident, click that incident to review its details. Investigate incidents with higher risk and confidence first. An incident typically consists of multiple activities or types of suspicious behavior.

Step 7

Identify the affected device or server.

Step 8

The SHA-256 hash of any malicious files found is also listed here. Hover over the red skull-and-crossbones icon and click View full report to open the sandbox report in a new window. See Sandboxing.

Step 9

Inspect the parallel coordinates graph which at-a-glance shows information about the activities in the incident. Hover over each coordinate node in the line graph to show its interconnected information.

  1. Start with the highest severity and work your way down.

  2. Note the information in the Time column. Verify how long the malware activity has been reported. One of the characteristics of advanced malware activity is that the communication is persistent for a long time. If the incident has been reported for several days or weeks, it increases the chance that it was produced by advanced malware.

  3. Identify any recent ongoing activity. Focus on any activities that have occurred within the past 48 hours.

  4. Look for activities that occur in parallel and may suggest a C&C communication channel in use.

  5. Review the connected lines. Do the domains make sense together? Are they related? A domain with changing IP addresses is suspicious. Correlate it with the web flows table to determine if the domain was transferring data.

  6. Are activities tied to the same AS or different systems from different owners and different locations? May be an indicator of systems that have been hacked and used as attack sources.

Step 10

The graph can be used to filter web flows. Select and click one or more nodes to show the associated web flows.

  1. Note the box next to the server. A red box indicates a negative IP reputation for that server. Domain names are included. The negative IP reputation could indicate suspicious communication from a domain operated by an attacker.

  2. Note the HTTP status code returned from the server. A red box with an "x" next to the status code indicates that the flow was blocked by the web proxy. Focus on any incidents that have at least one command-and-control (C&C) channel which is not being blocked and thereby allowing the malware to operate.

  3. If a sandbox report of the file is available, an icon appears next to the SHA-256. Hover over the icon and click View full report to open the sandbox report in a new window. A red skull-and-crossbones icon indicates that the file was found to be malicious. See Sandboxing.

Step 11

Detected incidents have less than a 100% confidence level. Based on the details of the actual incident, the following factors may lower or raise the reported risk:

Lowers Risk Raises Risk
Reported activities are already blocked by the proxy. Reported activities are not already blocked by the proxy.
The incident characteristics (for ex. visited URLs) are distinct for one incident only. The incident characteristics (for ex. visited URLs) repeat for many users.
The total mass of the incident is one activity with a few requests. The incident detail shows long-term, heavy, and persistent behavior.
Incident detail displays a low amount of data transfer. Incident detail displays a high amount of data transfer, especially uploads.

What to do next

Analyze the information you gathered to conclude if this incident is a threat to your network. In the incident details page, mark the incident as resolved as threat, resolved as false positive, or resolved as ignored.

Follow your organization's standard incident response procedure to mitigate the threat. Collecting more threat intelligence from internal systems is a good practice before you perform any action. Keep in mind that you are operating in the after-breach phase of the attack continuum. This means that traditional security measures in the during phase may not have been successful in completely removing the threat and you may need to reimage the affected endpoint.


Note

To reduce the number of false positives, not all incidents are immediately blocked up front. Anomalies are detected and reported as incidents for investigation. After some analysis, monitoring, and tracking time, threats are confirmed to be blocked. However, threats like morphing malware may modify its behavior to avoid detection. Therefore, CTA persistently analyzes files over time and sends information to SenderBase to update the Web-Based Reputation Score (WBRS). Cisco Cloud Web Security may then block the threat, but this should not be considered the final, all-encompassing solution. Sometimes what Cisco Cloud Web Security blocks may be only part of the communication. For example, some malware may stash data and exfiltrate it later when you connect from a location not protected by Cisco Cloud Web Security. To be thorough, reimage the infected device.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us